runas command and user-id monitoring

L4 Transporter

runas command and user-id monitoring

How are you guys managing the "runas" command alongside user-id.  In our test environment, I'm finding with the user-id windows agent, you get the last login event from the domain controller, with the new "runas" user.  Once that times out- no more internet access to the original user, unless you generate an authentication event to the domain controller again.  However, with global protect, if I "runas" a new user- globalprotect (internal only- no tunnel) will NOT update the firewall with the latest user for that program, so the "runas" user, has the rights that the initial user has, per the firewall "show user ip user mapping".    Have you locked this down through other means, such as group policy-etc?  Any insights into this?  I'm guessing there is no priority order for a user-id agent vs. global protect agent? The firewalls user ip user mapping only appears to care about the last login/network interface change that it's seen?

Tags (3)
L7 Applicator

Re: runas command and user-id monitoring

What is your goal? What do you want to accomplish?

Enterprise Architect @ Cloud Carib www.cloudcarib.com
ACE (3.0, 5.0, 6.0, 7.0), PCNSE (6, 7), PCNSI
L4 Transporter

Re: runas command and user-id monitoring

How do you accuratley follow/map/update a user based upon the user that is actively traversing the firewall from an endpoint?  It appears that the "runas" command has the ability to break this mapping.

L7 Applicator

Re: runas command and user-id monitoring

Regular users don't run runas usually.

If this is concern then GlobalProtect will overcome this issue as user is identified by account who's credentials were used to log into vpn.

If user knows credentials of other users then (s)he can update GlobalProtect login and still gain access to resources of other person.

Enterprise Architect @ Cloud Carib www.cloudcarib.com
ACE (3.0, 5.0, 6.0, 7.0), PCNSE (6, 7), PCNSI
L6 Presenter

Re: runas command and user-id monitoring


@Sec101 wrote:

 

I'm guessing there is no priority order for a user-id agent vs. global protect agent? The firewalls user ip user mapping only appears to care about the last login/network interface change that it's seen?

 

 

Correct, it's the most recent update source.

 

Like @Raido  posted, I think if we understand more about what you're trying to accomplish we can more accurate info on what we've seen work.

 

 

Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the Live Community as a whole!

The Live Community thanks you for your participation!